Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Keeping secrets in your infrastructure pipeline

Rosemary Wang
December 09, 2020
Technology
1
150

Keeping secrets in your infrastructure pipeline

Presented at GitHub Universe, December 9, 2020.

You’ve set up your infrastructure as code in GitHub Actions to securely test and deploy to production. One year later, you discover the account keys you used for automation have been compromised! In a panic, you scramble around multiple repositories looking for where you used the account keys and throw together a script to rotate them. You start to wonder, “is there a better way I could have managed my secret?” In this talk, you’ll learn how to manage secrets in your infrastructure pipeline using HashiCorp Vault and Terraform with GitHub Actions. By using Vault’s dynamic secrets engines, you can rotate, audit, and manage the lifecycle of your infrastructure account keys and API tokens. In addition to managing service account keys for Terraform automation, we’ll cover how Vault can generate secrets such as database passwords for creating infrastructure resources.

Rosemary Wang

December 09, 2020
Tweet

More Decks by Rosemary Wang

See All by Rosemary Wang
Secure Day 2 operations with Boundary and Vault
joatmon08
0
15
Can You Test Your Infrastructure as Code?
joatmon08
1
51
Multi-Account, Multi-Region, Multi-Runtime
joatmon08
1
21
Building a multi-account, multi-runtime service-oriented architecture
joatmon08
0
26
Choose Your Own Abstraction: Iterating on Developer Experience
joatmon08
0
31
Break Glass, Repair Fast, Reconcile Automation
joatmon08
2
40
Building a Developer Platform? Ask these questions.
joatmon08
0
27
From Cloud-Hosted to Cloud-Native
joatmon08
0
53
Refactoring Applications for Dynamic Secrets
joatmon08
1
37

Other Decks in Technology

See All in Technology
Incident Response Practices: Waroom's Features and Future Challenges
rrreeeyyy
0
160
TanStack Routerに移行するのかい しないのかい、どっちなんだい! / Are you going to migrate to TanStack Router or not? Which one is it?
kaminashi
0
570
Python(PYNQ)がテーマのAMD主催のFPGAコンテストに参加してきた
iotengineer22
0
470
社内で最大の技術的負債のリファクタリングに取り組んだお話し
kidooonn
1
550
SREによる隣接領域への越境とその先の信頼性
shonansurvivors
2
510
B2B SaaSから見た最近のC#/.NETの進化
sansantech
PRO
0
670
スクラム成熟度セルフチェックツールを作って得た学びとその活用法
coincheck_recruit
1
140
初心者向けAWS Securityの勉強会mini Security-JAWSを9ヶ月ぐらい実施してきての近況
cmusudakeisuke
0
120
サイバーセキュリティと認知バイアス:対策の隙を埋める心理学的アプローチ
shumei_ito
0
380
障害対応指揮の意思決定と情報共有における価値観 / Waroom Meetup #2
arthur1
5
470
Application Development WG Intro at AppDeveloperCon
salaboy
0
180
OCI Network Firewall 概要
oracle4engineer
PRO
0
4.1k

Featured

See All Featured
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
126
18k
KATA
mclloyd
29
14k
Writing Fast Ruby
sferik
627
61k
GraphQLの誤解/rethinking-graphql
sonatard
67
10k
Measuring & Analyzing Core Web Vitals
bluesmoon
4
120
ReactJS: Keep Simple. Everything can be a component!
pedronauck
665
120k
Designing for humans not robots
tammielis
250
25k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
27
4.3k
Code Review Best Practice
trishagee
64
17k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
47
2.1k
Optimizing for Happiness
mojombo
376
70k
Ruby is Unlike a Banana
tanoku
97
11k

Transcript

  1. Copyright © 2020 HashiCorp Keeping Secrets in your Infrastructure Pipeline

    GitHub Universe | December 2020

  2. Infrastructure Pipeline Continuous Integration pipeline for infrastructure as code. @joatmon08

  3. @joatmon08 PLAN SECURITY TESTS UNIT TESTS APPLY BUILD & DEPLOY

    INTEGRATION TESTS

  4. These secrets are a year old… I think? @joatmon08

  5. @joatmon08 PLAN SECURITY TESTS UNIT TESTS APPLY BUILD & DEPLOY

    INTEGRATION TESTS I COMMITTED THE DATABASE PASSWORD TO GITHUB!

  6. Plan R 1.Regret 2.Revoke 3.Rotate 4.Reference 5.Replace 6.Re-run @joatmon08

  7. Rosemary Wang (She/Her) Developer Advocate at HashiCorp joatmon08.github.io @JOATMON08 JOATMON08

    LINKEDIN.COM/IN/ ROSEMARYWANG

  8. Service Accounts Logs into infrastructure provider (e.g., service account keys

    or API tokens) Resource Attributes Passed to infrastructure resources (e.g., database passwords or certificates) Generated Secrets Created by infrastructure pipeline (e.g., random passwords or tokens)

  9. Service Accounts Logs into infrastructure provider (e.g., service account keys

    or API tokens) Resource Attributes Passed to infrastructure resources (e.g., database passwords or certificates)

  10. Use a Secrets Manager @joatmon08

  11. Plan R 1.Regret 2.Revoke 3.Rotate 4.Reference 5.Replace 6.Re-run @joatmon08 Secrets

    Manager Pipelines You!

  12. @joatmon08 PLAN SECURITY TESTS UNIT TESTS APPLY BUILD & DEPLOY

    INTEGRATION TESTS GET SECRETS AUTHENTICATE TO SECRETS MANAGER SECRETS INJECTION

  13. @joatmon08 PLAN SECURITY TESTS UNIT TESTS APPLY BUILD & DEPLOY

    INTEGRATION TESTS GET SECRETS AT PATH AUTHENTICATE TO VAULT VAULT GITHUB ACTION SECRETS INJECTION

  14. @joatmon08 HCP (VAULT ON AWS) AMAZON WEB SERVICES AWS RDS

    (POSTGRESQL) Key Value Secrets Engine GITHUB AppRole Auth Method Database Secrets Engine GET READ-ONLY CREDENTIALS FOR APPLICATION Infrastructure Pipeline AWS Secrets Engine /PIPELINE /BOOTSTRAP /AWS /CREDS /PIPELINE TOKEN CREATE MANAGED DATABASE LOG INTO VAULT WITH PIPELINE ROLE AND SECRET AWS STS PEERED NETWORKS (PRIVATE)

  15. github.com/joatmon08/ infrastructure-pipeline @joatmon08

  16. References ▪ github.com/hashicorp/vault-action ▪ learn.hashicorp.com/tutorials/terraform/github-actions ▪ hashicorp.com/cloud-platform ▪ vaultproject.io/docs/secrets/aws ▪

    vaultproject.io/docs/secrets/kv ▪ vaultproject.io/docs/secrets/databases/postgresql ▪ hashicorp.com/resources/secure-gitops-workflows-with-github-actions- and-hashicorp-vault @joatmon08